Abstract. In [1], Bellare et al. gave the notions of security for symmetric encryption and provided a concrete security analysis of the XOR, CTR, and CBC schemes. Among the three schemes, the CTR scheme achieves the best concrete security in their analysis. In this paper we propose two new schemes, CTR-OFB and CTR-CFB, which have the same security as the CTR scheme from the point of view of the concrete security analysis, and which achieve higher resistance than the CTR scheme against some practical attacks.

Keywords: Modes of Operation, Concrete Security, Pseudorandom

1 Introduction

The DES has four modes of operation in [11]: ECB, CBC, CFB, and OFB. Since the DES modes of operation were introduced, many other modes of operation for block ciphers have been suggested and analyzed. Moreover, modes of operation for block ciphers have received much attention lately, partly due to an announcement by NIST that they are considering an update to their list of standardized modes. In [12] several modes of operation were suggested, such as ABC, CTR, IACBC, ICPM, OCB, XCBC, etc.

S. Goldwasser and S. Micali were the first to introduce formal notions of security for encryption [7]. They presented two notions of security for asymmetric encryption, semantic security and polynomial security, and proved them equivalent with respect to polynomial-time reductions. M. Bellare et al. [1] presented four notions of security for symmetric encryption in the framework of concrete security, under the attack assumptions of chosen-plaintext attack (CPA) and chosen-ciphertext attack (CCA):

1. Left-or-Right indistinguishability (LOR)
2. Real-or-Random indistinguishability (ROR)
3. Find-then-Guess security (FTG)
4. Semantic security (SEM)

K. Kim (Ed.): ICICS 2001, LNCS 2288, pp. 103-113, 2002. 
(c) Springer-Verlag Berlin Heidelberg 2002 



They proved that the first two notions are security preserving under any attack assumption and that the last two notions are also security preserving. Furthermore, the first two notions are stronger notions of security than the last two. Therefore showing an encryption scheme LOR or ROR secure implies tight reductions to all other notions, but showing an encryption scheme FTG secure or SEM secure does not. So, if the bounds are equal, it is better to demonstrate security with respect to one of the first two notions, since that immediately translates into equally good bounds for the other notions. With these notions of security, especially left-or-right indistinguishability (LOR), they proved the concrete security of the XOR, CTR, and CBC schemes.

The counter (CTR) mode was originally introduced by W. Diffie and M. Hellman in 1979 [6]. Recently H. Lipmaa, P. Rogaway, and D. Wagner suggested the CTR mode in the standardization of AES modes of operation [12]. The CTR mode has significant efficiency advantages: because the message blocks are processed independently, its key stream can be precomputed and it allows random access. Furthermore, the CTR mode gives better concrete security than the XOR and CBC schemes [1].

In this paper we define new modes of operation for block ciphers. The new modes of operation are the counter-based OFB (CTR-OFB) mode and the counter-based CFB (CTR-CFB) mode, which provide the same concrete security as the CTR mode. Although the CTR scheme changes the input bits of the underlying function serially, our schemes randomize some of the input bits. So they can be more resistant than the CTR scheme against SQUARE-type attacks [5,8] and against the conventional differential attack with low Hamming weight differentials. Also our new schemes provide better concrete security than the OFB and CFB schemes, which achieve only the same concrete security as the CBC scheme.

This paper is organized as follows. In Section 2 we give some preliminary definitions, the notions of security, and some results of [1]. In Sections 3 and 4 we propose the new modes of operation and prove their concrete security. In Section 5 we summarize our conclusions.

2 Preliminaries 

In this section we describe some relevant definitions. Our treatment follows that of M. Bellare, J. Kilian, and P. Rogaway [2], and of M. Bellare, A. Desai, E. Jokipii, and P. Rogaway [1].

In [1], the authors considered four definitions of security for symmetric encryption under the two attack assumptions of chosen-plaintext attack (CPA) and chosen-ciphertext attack (CCA). Here we will only consider the notion of left-or-right indistinguishability (LOR) under the CPA model, which gives the other three notions with comparable bounds.

We write $a \leftarrow A(x_1, x_2, \ldots)$ for the experiment of running $A$ on inputs $x_1, x_2, \ldots$, where $A(\cdot, \cdot, \ldots)$ is any probabilistic algorithm. Let $\Pi = (K, E, D)$ be an encryption scheme, where algorithm $K$ is the key generator, $E$ is the encryption algorithm, and $D$ is the decryption algorithm.
The approach to concrete security is via parameterization of the resources of the adversary $A$. Let $t$ be $A$'s running time, $q_e$ the number of encryption oracle queries, and $\mu_e$ the amount of ciphertext $A$ sees in response to its oracle queries.

In the LOR sense the adversary is allowed queries of the form $(x_0, x_1)$ where $x_0, x_1$ are equal-length messages. Consider two different games. In the first, each query is answered by encrypting the left message; in the second, by encrypting the right message. Formally, the left-or-right oracle is defined by $E_K(LR(\cdot, \cdot, b))$, where $b \in \{0,1\}$; it takes input $(x_0, x_1)$ and does the following:

If $b = 0$, it computes $C \leftarrow E_K(x_0)$ and returns $C$.
If $b = 1$, it computes $C \leftarrow E_K(x_1)$ and returns $C$.

Now we can define LOR-CPA as follows.

Definition 1. [1] Let $SE = (K, E, D)$ be a symmetric encryption scheme. Let $b \in \{0,1\}$ and $k \in \mathbb{N}$. Let $A_{cpa}$ be an adversary that has access to the oracle $E_K(LR(\cdot, \cdot, b))$. Consider the following experiment:

Experiment $\mathrm{Exp}^{\text{lor-cpa-}b}_{SE}(k)$
    $K \leftarrow K(k)$
    Return $d$

Define the advantage of the adversary via

Define the advantage functions of the scheme as follows. For any $t, q_e, \mu_e$,

If no reasonable adversary can obtain a significant advantage, we consider the encryption scheme to be good. In a similar way we can define LOR-CCA by additionally giving the adversary a decryption oracle. For details, see [1].

We will consider symmetric encryption schemes based on finite pseudorandom functions (PRFs) or permutations (PRPs) [2]. Let $\mathrm{Rand}^{l \to L}$ be the family of all functions from $\{0,1\}^l$ to $\{0,1\}^L$ and $\mathrm{Perm}^l$ be the family of all permutations on $\{0,1\}^l$. We will not define PRFs and PRPs in detail. The following proposition gives the relation between the PRF advantage and the PRP advantage.

Proposition 1. [1] For any permutation family $P$ with length $l$,

$\mathrm{Adv}^{prf}_P(t, q) \le \mathrm{Adv}^{prp}_P(t, q) + \ldots$

Now we will see the concrete security of the symmetric encryption schemes, i.e., the XOR, CTR, and CBC schemes, using RFs (random functions), RPs (random permutations), PRFs, and PRPs. Let a function family $F$ have input length $l$, output length $L$, and key length $k$. To specify the function we will write $f = F_K$. The following specify the XOR, CTR, and CBC schemes respectively. The message $x$ to be encrypted is regarded as a sequence of $l$-bit blocks, $x = x_1 \cdots x_n$; $r$ denotes the nonce, and addition is modulo $2^l$.

- The XOR scheme: XOR[F] = (K-XOR, E-XOR, D-XOR)

The key generation algorithm K-XOR just outputs a random $k$-bit key $K$ for the underlying function family $F$, thereby specifying a function $f = F_K$ from $l$ bits to $L$ bits. Define E-XOR$_K(x)$ = E-XOR$_{F_K}(x)$ and D-XOR$_K(z)$ = D-XOR$_{F_K}(z)$, where:

function E-XOR_f(x)
    r ← {0,1}^l
    for i = 1, ..., n do y_i = f(r + i) ⊕ x_i
    return r || y_1 y_2 ··· y_n

function D-XOR_f(z)
    Parse z as r || y_1 ··· y_n
    for i = 1, ..., n do x_i = f(r + i) ⊕ y_i
    return x = x_1 x_2 ··· x_n



- The CTR scheme: CTR[F] = (K-CTR, E-CTR, D-CTR)

The key generation algorithm K-CTR is the same as in the XOR scheme, i.e., it just outputs a random $k$-bit key $K$ for the underlying function family $F$. Define E-CTR$_K(x, ctr)$ = E-CTR$_{F_K}(x, ctr)$ and D-CTR$_K(z)$ = D-CTR$_{F_K}(z)$, where:

function E-CTR_f(x, ctr)
    for i = 1, ..., n do y_i = f(ctr + i) ⊕ x_i
    ctr ← ctr + n
    return (ctr, ctr || y_1 y_2 ··· y_n)

function D-CTR_f(z)
    Parse z as ctr || y_1 ··· y_n
    for i = 1, ..., n do x_i = f(ctr + i) ⊕ y_i
    return x = x_1 x_2 ··· x_n



- The CBC scheme: CBC[F] = (K-CBC, E-CBC, D-CBC)

The key generation algorithm K-CBC is the same as in the XOR scheme, i.e., it just outputs a random $k$-bit key $K$ for the underlying permutation family $F$ (the CBC scheme requires $l = L$). Define E-CBC$_K(x)$ = E-CBC$_{F_K}(x)$ and D-CBC$_K(z)$ = D-CBC$_{F_K}(z)$, where:

function E-CBC_f(x)
    y_0 ← {0,1}^l
    for i = 1, ..., n do y_i = f(y_{i-1} ⊕ x_i)
    return y_0 || y_1 y_2 ··· y_n

function D-CBC_f(z)
    Parse z as y_0 || y_1 ··· y_n
    for i = 1, ..., n do x_i = f^{-1}(y_i) ⊕ y_{i-1}
    return x = x_1 x_2 ··· x_n



Let us see the concrete security of the schemes. We first summarize the security of the XOR scheme.

Theorem 1. [1] [The Concrete Security of the XOR Scheme]

(i) (The Lower Bound on Insecurity of XOR using a RF) Let $R = \mathrm{Rand}^{l \to L}$. Then, for any $t$, $q_e$, and $\mu_e$ such that $\mu_e \le L2^l$,

$\mathrm{Adv}^{\text{lor-cpa}}_{\mathrm{XOR}[R]}(\cdot, t, q_e, \mu_e) \ge 0.316 \cdot \ldots$

(ii) (The Upper Bound on Insecurity of XOR using a RF) Let $R = \mathrm{Rand}^{l \to L}$. Then, for any $t$, $q_e$, $\mu_e$,

(iii) (Security of XOR using a PRF) Suppose $F$ is a PRF family with input length $l$ and output length $L$. Then, for any $t$, $q_e$, and $\mu_e = qL$,

The CTR scheme is the stateful version of the XOR scheme. It achieves better security than the XOR scheme: the adversary has no advantage at all in the ideal (random function) case.

Theorem 2. [1] [The Concrete Security of the CTR Scheme]

(i) (Security of CTR using a RF) Let $R = \mathrm{Rand}^{l \to L}$. Then, for any $t$, $q_e$, and $\mu_e \le L2^l$,

(ii) (Security of CTR using a PRF) Suppose $F$ is a PRF family with input length $l$ and output length $L$. Then, for any $t$, $q_e$, and $\mu_e = \min(qL, L2^l)$,

$\mathrm{Adv}^{\text{lor-cpa}}_{\mathrm{CTR}[F]}(\cdot, t, q_e, \mu_e) \le 2 \cdot \mathrm{Adv}^{prf}_F(t, q).$

Although the CBC scheme requires $l = L$ and each $F_K$ should be a permutation, we will still consider the case that $F$ is a pseudorandom function family (with $l = L$). We will also see the case that $F$ is a pseudorandom permutation family.

Theorem 3. [1] [The Concrete Security of the CBC Scheme]

(i) (The Lower Bound on Insecurity of CBC using a RF) Let $R = \mathrm{Rand}^{l \to l}$. Then, for any $t$, $q_e$, and $\mu_e$ such that $\mu_e \le l2^l$,

$\mathrm{Adv}^{\text{lor-cpa}}_{\mathrm{CBC}[R]}(\cdot, t, q_e, \mu_e) \ge 0.316 \cdot \ldots$

(ii) (The Upper Bound on Insecurity of CBC using a RF) Let $R = \mathrm{Rand}^{l \to l}$. Then, for any $t$, $q_e$, and $\mu_e$,

$\mathrm{Adv}^{\text{lor-cpa}}_{\mathrm{CBC}[R]}(\cdot, t, q_e, \mu_e) \le \ldots$

(iii) (Security of CBC using a PRF) Suppose $F$ is a PRF family with input length $l$ and output length $l$. Then, for any $t$, $q_e$, and $\mu_e = ql$,

$\mathrm{Adv}^{\text{lor-cpa}}_{\mathrm{CBC}[F]}(\cdot, t, q_e, \mu_e) \le 2 \cdot \mathrm{Adv}^{prf}_F(t, q) + \ldots$

(iv) (The Lower Bound on Insecurity of CBC using a RP) Let $RP = \mathrm{Perm}^l$. Then, for any $t$, $q_e\,(= \mu_e / l)$, and $\mu_e\,(\le 2^{\ldots})$,

(v) (The Upper Bound on Insecurity of CBC using a RP) Let $RP = \mathrm{Perm}^l$. Then, for any $t$, $q_e$, and $\mu_e$,

(vi) (Security of CBC using a PRP) Suppose $F$ is a PRP family with length $l$. Then, for any $t$, $q_e$, and $\mu_e = ql$,

$\mathrm{Adv}^{\text{lor-cpa}}_{\mathrm{CBC}[F]}(\cdot, t, q_e, \mu_e) \le 2 \cdot (\mathrm{Adv}^{prp}_F(t, q) + \ldots) + \ldots$

From the above theorems we can see that the CTR scheme has the best security in the random function model. This also gives the best concrete security in the pseudorandom function model. In the CTR scheme there is no collision among the inputs of the function $f$; since $f$ is a random function, the attacker therefore gets no information with which to distinguish in the LOR sense. The XOR and CBC schemes, however, may have a collision on the inputs of $f$ by the birthday paradox, and such a collision can leak information that helps the attacker distinguish. This motivates our schemes: they follow the CTR scheme in achieving perfect concrete security in the random function model in the LOR sense.
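As an added illustration of the collision argument above (this code is not from the paper), the two functions below list the inputs that the XOR and CTR schemes of this section feed to $f$, using a deliberately tiny input length $l$ so that birthday collisions show up within a few hundred queries; the counter-based scheme repeats an input only after more than $2^l$ blocks (i.e. $\mu_e > L2^l$) have been encrypted, which is the condition in Theorem 2 (i).

```python
import random

def xor_scheme_inputs(l_bits, query_blocks, seed=None):
    """Inputs r + i (mod 2^l) that E-XOR feeds to f for a sequence of queries:
    every message draws its own random l-bit nonce r, so the input runs of two
    messages can overlap."""
    rng, mod, inputs = random.Random(seed), 1 << l_bits, []
    for n in query_blocks:                   # n = number of l-bit blocks in this message
        r = rng.randrange(mod)               # r <- {0,1}^l
        inputs += [(r + i) % mod for i in range(1, n + 1)]
    return inputs

def ctr_scheme_inputs(l_bits, query_blocks, ctr=0):
    """Inputs ctr + i that E-CTR feeds to f: the counter state carries over
    from one message to the next instead of being re-drawn."""
    mod, inputs = 1 << l_bits, []
    for n in query_blocks:
        inputs += [(ctr + i) % mod for i in range(1, n + 1)]
        ctr = (ctr + n) % mod                # the ctr <- ctr + n step of E-CTR
    return inputs

def repeated_inputs(inputs):
    """Number of f-inputs that repeat an earlier one.  A repeat means one
    key-stream block f(input) masks two plaintext blocks, which is the
    information the LOR adversary behind the lower bound of Theorem 1 (i) exploits."""
    return len(inputs) - len(set(inputs))

if __name__ == "__main__":
    queries = [8] * 200          # q_e = 200 queries of 8 blocks each (constructed)
    print("XOR repeats:", repeated_inputs(xor_scheme_inputs(12, queries)))
    print("CTR repeats:", repeated_inputs(ctr_scheme_inputs(12, queries)))
```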

3 The CTR-OFB and CTR-CFB Schemes

In the previous section we saw that the CTR mode has the best concrete security in the LOR-CPA sense. This comes from the collision-freeness of the inputs of the function $f$. Here we propose two new schemes, the counter-based OFB scheme and the counter-based CFB scheme, which we call the CTR-OFB scheme and the CTR-CFB scheme respectively.

Now we define our schemes. Let a function family $F$ have input length $l$, output length $L$, and key length $k$. To specify the function we will write $f = F_K$. The message $x$ to be encrypted is regarded as a sequence of $l$-bit blocks, $x = x_1 \cdots x_n$. Let $r$ be the $v$-bit nonce, let addition be modulo $2^{l-v}$, and let $ctr$ be an $(l - v)$-bit integer. The notation $a \| b$ means the concatenation of $a$ and $b$, and $\mathrm{lsb}_j(a)$ takes $j$ bits of $a$, from bit position 0 to bit position $j - 1$.
The CTR-OFB scheme: CTR-OFB[F] = (K-CTR-OFB, E-CTR-OFB, D-CTR-OFB)

The key generation algorithm K-CTR-OFB is the same as in the XOR scheme, i.e., it just outputs a random $k$-bit key $K$ for the underlying function family $F$. Define E-CTR-OFB$_K(x, ctr)$ = E-CTR-OFB$_{F_K}(x, ctr)$ and D-CTR-OFB$_K(z)$ = D-CTR-OFB$_{F_K}(z)$, where:

function E-CTR-OFB_f(x, ctr)
    v_0 = r ← {0,1}^v and y_0 = v_0 || ctr
    for i = 1, ..., n do
        y_i = f(v_{i-1} || ctr + i) ⊕ x_i
        v_i = lsb_v(f(v_{i-1} || ctr + i))
    ctr ← ctr + n
    return (ctr, y_0 || y_1 y_2 ··· y_n)

function D-CTR-OFB_f(z)
    Parse z as y_0 || y_1 ··· y_n
    Parse y_0 as v_0 || ctr
    for i = 1, ..., n do
        x_i = f(v_{i-1} || ctr + i) ⊕ y_i
        v_i = lsb_v(f(v_{i-1} || ctr + i))
    return x = x_1 x_2 ··· x_n



The CTR-CFB scheme: CTR-CFB[F] = (K-CTR-CFB, E-CTR-CFB, D-CTR-CFB)

The key generation algorithm K-CTR-CFB is the same as in the XOR scheme, i.e., it just outputs a random $k$-bit key $K$ for the underlying function family $F$. Define E-CTR-CFB$_K(x, ctr)$ = E-CTR-CFB$_{F_K}(x, ctr)$ and D-CTR-CFB$_K(z)$ = D-CTR-CFB$_{F_K}(z)$, where:

function E-CTR-CFB_f(x, ctr)
    r ← {0,1}^v and y_0 = r || ctr
    for i = 1, ..., n do y_i = f(lsb_v(y_{i-1}) || ctr + i) ⊕ x_i
    ctr ← ctr + n
    return (ctr, y_0 || y_1 y_2 ··· y_n)

function D-CTR-CFB_f(z)
    Parse z as y_0 || y_1 ··· y_n
    Parse y_0 as r || ctr
    for i = 1, ..., n do x_i = f(lsb_v(y_{i-1}) || ctr + i) ⊕ y_i
    return x = x_1 x_2 ··· x_n
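An added, runnable rendering of the two schemes just defined (this code is not from the paper): it assumes $l = L = 128$ bits with a $v = 64$-bit nonce and a 64-bit counter, stands in a truncated HMAC-SHA256 for the abstract function family $F$, and reads $\mathrm{lsb}_v(a)$ as bit positions $0..v-1$ counted from the left of $a$, so that $\mathrm{lsb}_v(r \| ctr) = r$ for the first CTR-CFB block.

```python
import hashlib, hmac, os

# Constructed parameters: l = L = 128 bits, v = 64-bit nonce, (l - v) = 64-bit counter.
BLK, VB = 16, 8                      # block and nonce sizes in bytes
CTR_MOD = 1 << (8 * (BLK - VB))      # counter addition is modulo 2^(l-v)

def make_prf(key: bytes):
    """f = F_K: {0,1}^l -> {0,1}^L, modelled by truncated HMAC-SHA256 (a stand-in)."""
    return lambda blk: hmac.new(key, blk, hashlib.sha256).digest()[:BLK]

def lsb_v(a: bytes) -> bytes:
    # lsb_v(a): bit positions 0..v-1 of a, read here as the leftmost v bits
    # (our reading of the paper's notation; it gives lsb_v(r||ctr) = r).
    return a[:VB]

def f_in(v: bytes, ctr: int, i: int) -> bytes:
    """The l-bit block v || (ctr + i mod 2^(l-v)) that is fed to f."""
    return v + ((ctr + i) % CTR_MOD).to_bytes(BLK - VB, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def blocks(s: bytes) -> list:
    assert len(s) % BLK == 0, "input must be a whole number of l-bit blocks"
    return [s[i:i + BLK] for i in range(0, len(s), BLK)]

def e_ctr_ofb(f, x: bytes, ctr: int, r: bytes = None):
    """E-CTR-OFB_f(x, ctr) -> (ctr + n, y_0 || y_1 ... y_n) with y_0 = v_0 || ctr."""
    v = r if r is not None else os.urandom(VB)      # v_0 = r <- {0,1}^v
    ctr %= CTR_MOD
    y = [v + ctr.to_bytes(BLK - VB, "big")]
    for i, xi in enumerate(blocks(x), 1):
        z = f(f_in(v, ctr, i))       # key-stream block, independent of x
        y.append(xor(z, xi))
        v = lsb_v(z)                 # v_i feeds the next input to f
    return (ctr + len(y) - 1) % CTR_MOD, b"".join(y)

def d_ctr_ofb(f, z: bytes) -> bytes:
    """D-CTR-OFB_f(z): parse y_0 as v_0 || ctr and regenerate the key stream."""
    y = blocks(z)
    v, ctr, out = y[0][:VB], int.from_bytes(y[0][VB:], "big"), []
    for i, yi in enumerate(y[1:], 1):
        s = f(f_in(v, ctr, i))
        out.append(xor(s, yi))
        v = lsb_v(s)
    return b"".join(out)

def e_ctr_cfb(f, x: bytes, ctr: int, r: bytes = None):
    """E-CTR-CFB_f(x, ctr): y_0 = r || ctr, y_i = f(lsb_v(y_{i-1}) || ctr + i) xor x_i."""
    r = r if r is not None else os.urandom(VB)
    ctr %= CTR_MOD
    y = [r + ctr.to_bytes(BLK - VB, "big")]
    for i, xi in enumerate(blocks(x), 1):
        y.append(xor(f(f_in(lsb_v(y[-1]), ctr, i)), xi))   # ciphertext block feeds back
    return (ctr + len(y) - 1) % CTR_MOD, b"".join(y)

def d_ctr_cfb(f, z: bytes) -> bytes:
    """D-CTR-CFB_f(z): x_i = f(lsb_v(y_{i-1}) || ctr + i) xor y_i."""
    y = blocks(z)
    ctr = int.from_bytes(y[0][VB:], "big")
    return b"".join(xor(f(f_in(lsb_v(y[i - 1]), ctr, i)), y[i]) for i in range(1, len(y)))
```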



The above schemes are counter-based and give the same concrete security as the CTR scheme; we will see this in the following section. Also, the CTR-OFB scheme can be preprocessed, because its key stream is independent of the message blocks. So our schemes have the same security as the CTR scheme from the concrete security point of view.

The CTR-OFB scheme is similar to the OFB scheme, and the CTR-CFB scheme is similar to the CFB scheme. However, since the OFB and CFB schemes achieve only the same concrete security as the CBC scheme, our new schemes have better concrete security than the OFB and CFB schemes.

Modes of operation for symmetric encryption generally use block ciphers. It is well known that it is difficult to construct block ciphers that are provably PRFs or PRPs. So we should evaluate a scheme not only from the theoretical point of view but also from the practical point of view.

The most powerful known attacks on block ciphers are Differential Cryptanalysis (DC) [3,4] and Linear Cryptanalysis (LC) [9,10]. In the CTR scheme the inputs of $f$ are used serially. This may give an easy way to construct chosen-plaintext pairs with a low Hamming weight differential. If the underlying block cipher has a crucial weakness against this attack, the CTR scheme is easy to attack. In our schemes, however, the inputs of $f$ are the concatenation of $v$ randomized bits and an $(l - v)$-bit counter. This makes it difficult to construct plaintext pairs having a low Hamming weight difference. The randomization of the input bits of the underlying function in the CTR-OFB and CTR-CFB schemes also gives higher resistance against SQUARE-type attacks [5,8] than the CTR scheme.

4 Security Analysis of the CTR-OFB and CTR-CFB Schemes

Here we will see the concrete security of our proposed schemes. We use the same notation as in Section 2. For our schemes the function family $F$ has input length $l$, output length $L$, and key length $k$. The following theorem gives the concrete security of the CTR-OFB scheme.

Theorem 4. [The Concrete Security of the CTR-OFB Scheme]

(i) (Security of CTR-OFB using a RF) Let $R = \mathrm{Rand}^{l \to L}$. Then, for any $t$, $q_e$, and $\mu_e \le L2^{l-v}$,

$\mathrm{Adv}^{\text{lor-cpa}}_{\text{CTR-OFB}[R]}(\cdot, t, q_e, \mu_e) = 0.$

(ii) (Security of CTR-OFB using a PRF) Suppose $F$ is a PRF family with input length $l$ and output length $L$. Then, for any $t$, $q_e$, and $\mu_e = \min(qL, L2^{l-v})$,

Proof. The proof of (ii) can be carried out in the same way as in [1]. So we need only prove (i).

Let $(P_i, Q_i)$ be the oracle queries of the adversary $A$, each consisting of a pair of equal-length messages. Let $n_i$ be the number of blocks in the $i$-th query. We denote $P_i = p^i_1 \cdots p^i_{n_i}$ and $Q_i = q^i_1 \cdots q^i_{n_i}$. Let $r_i \in \{0,1\}^v$ be the nonce associated to $(P_i, Q_i)$ as chosen at random by the oracle, for $i = 1, \ldots, q_e$. Let $y^i_j$ be the oracle answers, so that $(r_i \| ctr, y^i_1, \ldots, y^i_{n_i}) \leftarrow O(P_i, Q_i)$, $i = 1, \ldots, q_e$.

In answering the $i$-th query, the oracle applies the underlying function $f$ to the strings either $r_i \| ctr + 1,\ \mathrm{lsb}_v(p^i_1 \oplus y^i_1) \| ctr + 2,\ \ldots,\ \mathrm{lsb}_v(p^i_{n_i - 1} \oplus y^i_{n_i - 1}) \| ctr + n_i$ or $r_i \| ctr + 1,\ \mathrm{lsb}_v(q^i_1 \oplus y^i_1) \| ctr + 2,\ \ldots,\ \mathrm{lsb}_v(q^i_{n_i - 1} \oplus y^i_{n_i - 1}) \| ctr + n_i$.

Let $D$ be the following event, defined for either game: the strings $r_i \| ctr + 1,\ \mathrm{lsb}_v(p^i_1 \oplus y^i_1) \| ctr + 2,\ \ldots,\ \mathrm{lsb}_v(p^i_{n_i - 1} \oplus y^i_{n_i - 1}) \| ctr + n_i$ and $r_i \| ctr + 1,\ \mathrm{lsb}_v(q^i_1 \oplus y^i_1) \| ctr + 2,\ \ldots,\ \mathrm{lsb}_v(q^i_{n_i - 1} \oplus y^i_{n_i - 1}) \| ctr + n_i$ take no common value, for $i = 1, \ldots, q_e$. We define $\Pr_0[\cdot]$ to be the probability of an event in game 0 and $\Pr_1[\cdot]$ to be the probability of an event in game 1.

Claim 1. $\Pr_0[D] = \Pr_1[D] = 1$ for $\mu_e \le L2^{l-v}$.

Proof: In either game the input strings never take the same value, since the values of the counter are all different. So the probability in each game is 1.

Claim 2. $\Pr_0[A = 1 \mid D] = \Pr_1[A = 1 \mid D]$.

Proof: Given the event $D$, in either game the function $f$ is evaluated at a new point each time. Thus its output is uniformly distributed over $\{0,1\}^L$, and each ciphertext block is a message block XORed with a random value. So we have $\Pr_0[A = 1 \mid D] = \Pr_1[A = 1 \mid D]$.

Now we compute the advantage of $A$ as follows:

$\mathrm{Adv}^{\text{lor-cpa}}_{\text{CTR-OFB}[R]}(\cdot, t, q_e, \mu_e) = \Pr_1[A = 1] - \Pr_0[A = 1]$

$= \Pr_1[A = 1 \mid D] \cdot \Pr_1[D] + \Pr_1[A = 1 \mid \bar{D}] \cdot \Pr_1[\bar{D}] - \Pr_0[A = 1 \mid D] \cdot \Pr_0[D] - \Pr_0[A = 1 \mid \bar{D}] \cdot \Pr_0[\bar{D}]$

By Claims 1 and 2, we have $\mathrm{Adv}^{\text{lor-cpa}}_{\text{CTR-OFB}[R]}(\cdot, t, q_e, \mu_e) = 0$.

In a similar way we can prove the following theorem, which gives the concrete security of the CTR-CFB scheme.

Theorem 5. [The Concrete Security of the CTR-CFB Scheme]

(i) (Security of CTR-CFB using a RF) Let $R = \mathrm{Rand}^{l \to L}$. Then, for any $t$, $q_e$, and $\mu_e \le L2^{l-v}$,

$\mathrm{Adv}^{\text{lor-cpa}}_{\text{CTR-CFB}[R]}(\cdot, t, q_e, \mu_e) = 0.$

(ii) (Security of CTR-CFB using a PRF) Suppose $F$ is a PRF family with input length $l$ and output length $L$. Then, for any $t$, $q_e$, and $\mu_e = \min(qL, L2^{l-v})$,

$\mathrm{Adv}^{\text{lor-cpa}}_{\text{CTR-CFB}[F]}(\cdot, t, q_e, \mu_e) \le 2 \cdot \mathrm{Adv}^{prf}_F(t, q).$

Proof. This proof is the same as the proof of Theorem 4.



5 Conclusion

In this paper we proposed two new modes of operation, the CTR-OFB and CTR-CFB schemes. Each scheme has perfect concrete security in the sense of [1], just as the CTR mode does. The CTR scheme uses the inputs of $f$ serially, whereas our schemes randomize some of the input bits of $f$. We believe this makes the schemes harder to attack from the practical point of view, for example by differential cryptanalysis with low Hamming weight differentials and by SQUARE-type attacks.

The CTR mode can be preprocessed because of the independence of the message blocks, and it allows random access. The CTR-OFB scheme can also be preprocessed, but it does not permit random access.
Appendix: The Figures of the CTR-OFB and CTR-CFB Schemes

Fig. 1. The CTR-OFB Scheme

Fig. 2. The CTR-CFB Scheme



